10 December 2018

Former headteacher fined for breach of data protection legislation

A former headteacher has been fined £700 by the Information Commissioner’s Office (ICO) for unlawfully processing sensitive personal data of school children from his former schools.

Darren Harrison was Deputy Head at Isleworth Town Primary School in Twickenham. Just six months into his role, and while he was suspended, the IT department at the primary school came across vast quantities of sensitive personal data on the school server relating to pupils at Spelthorne Primary and The Russell School in Richmond, Mr Harrison’s former posts. The source of that information was an upload from a USB stick belonging to Mr Harrison.

Following an investigation, Mr Harrison provided no valid explanation as to how the personal data had made its way to the school’s server, claiming that the information had long since been removed from the USB stick.

The breach was reported to the ICO, which conducted a further investigation, during which Mr Harrison admitted to taking the personal data from his previous schools for “professional purposes”. Mr Harrison was charged with two offences of unlawfully obtaining personal data in contravention of section 55 of the Data Protection Act 1998 and was fined £700 by Ealing Magistrates’ Court, which also ordered him to pay costs of £364.08 and a victim surcharge of £35.

Mike Shaw, the ICO’s Criminal Investigation Group Manager, said:

“A headteacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach. The ICO will continue to take action against those who have abused their positions of trust.”

How to avoid this happening at your school

Although this prosecution was made under the old data protection regime, the new regime under the Data Protection Act 2018 has strengthened the action that can be taken by the police and the ICO to enforce data protection laws. And it is not only individuals who can be personally liable for data breaches they commit. It is more important than ever that schools do what they can to reduce the chances that their staff, at any level of seniority, commit data breaches. As data controllers, schools must be able to demonstrate they have a procedure in place to detect, investigate and internally report data breaches as they arise. In certain instances, employers (including schools) can also be held vicariously liable for the data breach of a member of staff (see the previous note on the Morrisons decision in November’s bulletin).

Here are some suggestions as to how schools can prevent similar breaches:

1. Schools should make sure that all incoming staff are made aware of the school’s data protection policy at their induction, and that refresher training is carried out periodically. The ICO recommends, as good practice, that all staff receive refresher training at least every 2 years, if not annually, to ensure that they fully understand their statutory obligations.

2. Schools should consider not allowing staff to use USB sticks and, instead, opting for alternative, more secure means of sharing large quantities of personal data. If this is not possible, schools can put in place a requirement that all USB sticks and external devices are scanned by the school’s IT department before data is uploaded to school servers. This procedure should be included in your IT policy (or similar) to ensure that all staff are aware of it.

3. The data protection lead should be alerted when large uploads or downloads are undertaken by a member of staff. Your IT department should be able to monitor this remotely.
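One way to implement the alerting described in point 3, as an added example that is not from the bulletin, the ICO or any named school: a Python script that reads file-server audit lines and raises an alert when a single account moves more than a configured volume or number of files within a short window, so that the data protection lead can be notified. The log format, the user names, the file paths and the thresholds are all constructed assumptions for this example; a real deployment would adapt the parser to whatever the school's file server or endpoint agent actually records.

```python
"""Flag bulk uploads or downloads by one account within a short time window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-server audit lines. The line format, user names
# and paths are assumptions for this example, not any real product's format.
SAMPLE_LOG = """\
2018-12-03 08:01:10 user=staff2 action=upload path=/shared/newsletter.docx bytes=240000
2018-12-03 08:02:45 user=staff1 action=upload path=/home/staff1/import/pupils_classA.xlsx bytes=52000000
2018-12-03 08:03:02 user=staff1 action=upload path=/home/staff1/import/pupils_classB.xlsx bytes=48000000
2018-12-03 08:03:40 user=staff1 action=upload path=/home/staff1/import/send_records.csv bytes=61000000
2018-12-03 08:04:15 user=staff2 action=download path=/shared/timetable.pdf bytes=900000
2018-12-03 08:05:20 user=staff1 action=upload path=/home/staff1/import/assessments.zip bytes=95000000
2018-12-03 09:30:00 user=staff2 action=upload path=/shared/minutes.docx bytes=310000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>upload|download) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "user": m["user"],
        "action": m["action"],
        "path": m["path"],
        "bytes": int(m["bytes"]),
    }


def find_bulk_transfers(log_text, window=timedelta(minutes=10),
                        max_bytes=100_000_000, max_files=50):
    """Return one alert per (user, action) whose transfers inside any sliding
    window exceed max_bytes or max_files. Thresholds are illustrative."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (user, action) -> events still inside the window
    alerted = set()               # avoid repeating an alert for the same account
    alerts = []
    for ev in events:
        key = (ev["user"], ev["action"])
        q = recent[key]
        q.append(ev)
        # Drop events older than the window relative to the current event.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        total = sum(e["bytes"] for e in q)
        if (total > max_bytes or len(q) > max_files) and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"],
                "action": ev["action"],
                "window_start": q[0]["ts"],
                "window_end": ev["ts"],
                "files": len(q),
                "bytes": total,
                "paths": [e["path"] for e in q],
            })
    return alerts


if __name__ == "__main__":
    for a in find_bulk_transfers(SAMPLE_LOG):
        print(f"ALERT: {a['user']} {a['action']}ed {a['files']} files "
              f"({a['bytes']:,} bytes) between {a['window_start']} and "
              f"{a['window_end']}; notify the data protection lead")
        for p in a["paths"]:
            print("  ", p)
```

The sliding window is kept per account and per direction so that a member of staff copying many pupil records onto the server (or off it) in a few minutes trips the threshold, while ordinary day-to-day activity does not. The alert carries the paths involved, which is what the data protection lead will need in order to decide whether the transfer was legitimate and whether it must be investigated and reported as a breach.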